Merge remote-tracking branch 'upstream/master' into mergeback-2018-10-11

javascript/ql/test/query-tests/Security/CWE-079/Xss.expected

@@ -1,3 +1,4 @@
+| addEventListener.js:2:20:2:29 | event.data | Cross-site scripting vulnerability due to $@. | addEventListener.js:1:43:1:47 | event | user-provided value |
 | jquery.js:4:5:4:11 | tainted | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:33 | document.location | user-provided value |
 | jquery.js:7:5:7:34 | "<div i ... + "\\">" | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:33 | document.location | user-provided value |
 | jquery.js:8:18:8:34 | "XSS: " + tainted | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:33 | document.location | user-provided value |

javascript/ql/test/query-tests/Security/CWE-079/addEventListener.js

@@ -0,0 +1,3 @@
+this.addEventListener('message', function(event) {
+    document.write(event.data); // NOT OK
+})

javascript/ql/test/query-tests/Security/CWE-200/FileAccessToHttp.expected

@@ -1,8 +1,8 @@
-| bufferRead.js:12:22:12:43 | new Buf ... s.size) | $@ flows directly to Http request body | bufferRead.js:33:21:33:28 | postData | File access |
-| googlecompiler.js:44:54:44:57 | data | $@ flows directly to Http request body | googlecompiler.js:38:18:38:26 | post_data | File access |
-| readFileSync.js:5:12:5:39 | fs.read ... t.txt") | $@ flows directly to Http request body | readFileSync.js:26:18:26:18 | s | File access |
-| readStreamRead.js:13:21:13:35 | readable.read() | $@ flows directly to Http request body | readStreamRead.js:30:19:30:23 | chunk | File access |
-| request.js:28:52:28:55 | data | $@ flows directly to Http request body | request.js:8:11:8:20 | {jsonData} | File access |
-| request.js:43:51:43:54 | data | $@ flows directly to Http request body | request.js:16:11:23:3 | {\\n    u ... ody\\n  } | File access |
-| sentAsHeaders.js:10:79:10:84 | buffer | $@ flows directly to Http request body | sentAsHeaders.js:14:20:19:9 | {\\n      ...       } | File access |
-| sentAsHeaders.js:10:79:10:84 | buffer | $@ flows directly to Http request body | sentAsHeaders.js:20:20:25:9 | {\\n      ...       } | File access |
+| bufferRead.js:33:21:33:28 | postData | $@ flows directly to outbound network request | bufferRead.js:12:22:12:43 | new Buf ... s.size) | File data |
+| googlecompiler.js:38:18:38:26 | post_data | $@ flows directly to outbound network request | googlecompiler.js:44:54:44:57 | data | File data |
+| readFileSync.js:26:18:26:18 | s | $@ flows directly to outbound network request | readFileSync.js:5:12:5:39 | fs.read ... t.txt") | File data |
+| readStreamRead.js:30:19:30:23 | chunk | $@ flows directly to outbound network request | readStreamRead.js:13:21:13:35 | readable.read() | File data |
+| request.js:8:11:8:20 | {jsonData} | $@ flows directly to outbound network request | request.js:28:52:28:55 | data | File data |
+| request.js:16:11:23:3 | {\\n    u ... ody\\n  } | $@ flows directly to outbound network request | request.js:43:51:43:54 | data | File data |
+| sentAsHeaders.js:14:20:19:9 | {\\n      ...       } | $@ flows directly to outbound network request | sentAsHeaders.js:10:79:10:84 | buffer | File data |
+| sentAsHeaders.js:20:20:25:9 | {\\n      ...       } | $@ flows directly to outbound network request | sentAsHeaders.js:10:79:10:84 | buffer | File data |

javascript/ql/test/query-tests/Security/CWE-200/express-send-file.js

@@ -0,0 +1,6 @@
+var express = require('express'),
+    app = express();
+
+app.get('/getFooFile', function(req, res) {
+    res.sendFile("foo"); // OK (for now) since this is a server-side response
+});

javascript/ql/test/query-tests/Security/CWE-200/fs-read-externs.js

@@ -0,0 +1,78 @@
+// Automatically generated from TypeScript type definitions provided by
+// DefinitelyTyped (https://github.com/DefinitelyTyped/DefinitelyTyped),
+// which is licensed under the MIT license; see file DefinitelyTyped-LICENSE
+// in parent directory.
+// Type definitions for Node.js 10.5.x
+// Project: http://nodejs.org/
+// Definitions by: Microsoft TypeScript <http://typescriptlang.org>
+//                 DefinitelyTyped <https://github.com/DefinitelyTyped/DefinitelyTyped>
+//                 Parambir Singh <https://github.com/parambirs>
+//                 Christian Vaagland Tellnes <https://github.com/tellnes>
+//                 Wilco Bakker <https://github.com/WilcoBakker>
+//                 Nicolas Voigt <https://github.com/octo-sniffle>
+//                 Chigozirim C. <https://github.com/smac89>
+//                 Flarna <https://github.com/Flarna>
+//                 Mariusz Wiktorczyk <https://github.com/mwiktorczyk>
+//                 wwwy3y3 <https://github.com/wwwy3y3>
+//                 Deividas Bakanas <https://github.com/DeividasBakanas>
+//                 Kelvin Jin <https://github.com/kjin>
+//                 Alvis HT Tang <https://github.com/alvis>
+//                 Sebastian Silbermann <https://github.com/eps1lon>
+//                 Hannes Magnusson <https://github.com/Hannes-Magnusson-CK>
+//                 Alberto Schiabel <https://github.com/jkomyno>
+//                 Klaus Meinhardt <https://github.com/ajafff>
+//                 Huw <https://github.com/hoo29>
+//                 Nicolas Even <https://github.com/n-e>
+//                 Bruno Scheufler <https://github.com/brunoscheufler>
+//                 Mohsen Azimi <https://github.com/mohsen1>
+//                 Hoàng Văn Khải <https://github.com/KSXGitHub>
+//                 Alexander T. <https://github.com/a-tarasyuk>
+//                 Lishude <https://github.com/islishude>
+//                 Andrew Makarov <https://github.com/r3nya>
+//                 Zane Hannan AU <https://github.com/ZaneHannanAU>
+// Definitions: https://github.com/DefinitelyTyped/DefinitelyTyped
+
+/**
+ * @externs
+ * @fileoverview Definitions for module "fs"
+ */
+var fs = {};
+
+/**
+ * @param {number} fd
+ * @param {Buffer} buffer
+ * @param {number} offset
+ * @param {number} length
+ * @param {number} position
+ * @param {(function(NodeJS.ErrnoException, number, Buffer): void)=} callback
+ * @return {void}
+ */
+fs.read = function(fd, buffer, offset, length, position, callback) {};
+
+/**
+ * @param {string} filename
+ * @param {string} encoding
+ * @param {(function(NodeJS.ErrnoException, string): void)} callback
+ * @return {void}
+ */
+fs.readFile = function(filename, encoding, callback) {};
+/**
+ * @param {string} filename
+ * @param {{encoding: string, flag: string}} options
+ * @param {(function(NodeJS.ErrnoException, string): void)} callback
+ * @return {void}
+ */
+fs.readFile = function(filename, options, callback) {};
+/**
+ * @param {string} filename
+ * @param {{flag: string}} options
+ * @param {(function(NodeJS.ErrnoException, Buffer): void)} callback
+ * @return {void}
+ */
+fs.readFile = function(filename, options, callback) {};
+/**
+ * @param {string} filename
+ * @param {(function(NodeJS.ErrnoException, Buffer): void)} callback
+ * @return {void}
+ */
+fs.readFile = function(filename, callback) {};

javascript/ql/test/query-tests/Security/CWE-912/HttpToFileAccess.expected

@@ -1,3 +1,3 @@
-| tst.js:16:33:16:33 | c | $@ flows to file system | tst.js:15:26:15:26 | c | Untrusted data received from Http response |
-| tst.js:19:25:19:25 | c | $@ flows to file system | tst.js:15:26:15:26 | c | Untrusted data received from Http response |
-| tst.js:24:22:24:22 | c | $@ flows to file system | tst.js:15:26:15:26 | c | Untrusted data received from Http response |
+| tst.js:16:33:16:33 | c | $@ flows to file system | tst.js:15:26:15:26 | c | Untrusted data |
+| tst.js:19:25:19:25 | c | $@ flows to file system | tst.js:15:26:15:26 | c | Untrusted data |
+| tst.js:24:22:24:22 | c | $@ flows to file system | tst.js:15:26:15:26 | c | Untrusted data |

javascript/ql/test/query-tests/Security/CWE-912/fs-writeFile-externs.js

@@ -0,0 +1,62 @@
+// Automatically generated from TypeScript type definitions provided by
+// DefinitelyTyped (https://github.com/DefinitelyTyped/DefinitelyTyped),
+// which is licensed under the MIT license; see file DefinitelyTyped-LICENSE
+// in parent directory.
+// Type definitions for Node.js 10.5.x
+// Project: http://nodejs.org/
+// Definitions by: Microsoft TypeScript <http://typescriptlang.org>
+//                 DefinitelyTyped <https://github.com/DefinitelyTyped/DefinitelyTyped>
+//                 Parambir Singh <https://github.com/parambirs>
+//                 Christian Vaagland Tellnes <https://github.com/tellnes>
+//                 Wilco Bakker <https://github.com/WilcoBakker>
+//                 Nicolas Voigt <https://github.com/octo-sniffle>
+//                 Chigozirim C. <https://github.com/smac89>
+//                 Flarna <https://github.com/Flarna>
+//                 Mariusz Wiktorczyk <https://github.com/mwiktorczyk>
+//                 wwwy3y3 <https://github.com/wwwy3y3>
+//                 Deividas Bakanas <https://github.com/DeividasBakanas>
+//                 Kelvin Jin <https://github.com/kjin>
+//                 Alvis HT Tang <https://github.com/alvis>
+//                 Sebastian Silbermann <https://github.com/eps1lon>
+//                 Hannes Magnusson <https://github.com/Hannes-Magnusson-CK>
+//                 Alberto Schiabel <https://github.com/jkomyno>
+//                 Klaus Meinhardt <https://github.com/ajafff>
+//                 Huw <https://github.com/hoo29>
+//                 Nicolas Even <https://github.com/n-e>
+//                 Bruno Scheufler <https://github.com/brunoscheufler>
+//                 Mohsen Azimi <https://github.com/mohsen1>
+//                 Hoàng Văn Khải <https://github.com/KSXGitHub>
+//                 Alexander T. <https://github.com/a-tarasyuk>
+//                 Lishude <https://github.com/islishude>
+//                 Andrew Makarov <https://github.com/r3nya>
+//                 Zane Hannan AU <https://github.com/ZaneHannanAU>
+// Definitions: https://github.com/DefinitelyTyped/DefinitelyTyped
+ /**
+ * @externs
+ * @fileoverview Definitions for module "fs"
+ */
+ var fs = {};
+
+/**
+ * @param {string} filename
+ * @param {*} data
+ * @param {(function(NodeJS.ErrnoException): void)=} callback
+ * @return {void}
+ */
+fs.writeFile = function(filename, data, callback) {};
+ /**
+ * @param {string} filename
+ * @param {*} data
+ * @param {{encoding: string, mode: number, flag: string}} options
+ * @param {(function(NodeJS.ErrnoException): void)=} callback
+ * @return {void}
+ */
+fs.writeFile = function(filename, data, options, callback) {};
+ /**
+ * @param {string} filename
+ * @param {*} data
+ * @param {{encoding: string, mode: string, flag: string}} options
+ * @param {(function(NodeJS.ErrnoException): void)=} callback
+ * @return {void}
+ */
+fs.writeFile = function(filename, data, options, callback) {};